MobileIron MDM with ISE integration for VPN authentication and Apple iOS - UDID issue

clandrai
Cisco Employee

We are using ISE with MDM integration to verify compliance of Apple iPhones and iPads when they connect to a VPN.

The AnyConnect client collects device information, notably the Unique Device Identifier (UDID), which is sent to the VPN headend and forwarded to ISE as a RADIUS AV pair. ISE will then use the UDID to query the MDM server to retrieve the compliance attributes.

Problem: recent iOS versions don't expose the UDID to applications anymore, therefore the AnyConnect client is using a different type of unique ID. This makes the MDM request fail to match the device record, because the MDM database has the actual UDID in its database.

How is this problem usually solved?

Note that the problem doesn't exist with 802.1X authentication over Wireless.

We know that a way exists to have the MDM server assign a UID to a device at enrollment time, and it seems a good way forward, but can you share how this is done on supported MDM servers, especially MobileIron?

Thanks in advance

1 Accepted Solution

Since TAC already engaged, please work with TAC. We may update this thread if it results in a bug filing.

3 Replies

hslai
Cisco Employee

Any particular MobileIron release? Any TAC case and/or bug id?

I am getting the MobileIron version details.

TAC case 682630154 was opened for this. Most troubleshooting was done onsite as this is a military environment and exporting logs is not always an option.

Best regards,

Christophe

Since TAC already engaged, please work with TAC. We may update this thread if it results in a bug filing.
